The Portuguese Data Protection Authority (CNPD) recently approved Resolution 2019/494 (Resolution) determining the non-application of some provisions of Law 58/2019, of August 8th (GDPR Implementation Law), which implements the General Data Protection Regulation (GDPR) in the Portuguese legal system.
In the past, CNPD voiced harsh criticisms against the Portuguese legislator upon the examination of Bill 120/XIII on
the implementation of the GDPR (Opinion 20/2018 of May 2nd 2018).
In its Resolution, CNPD sustains that, in addition to the courts, Public Administration bodies are under the obligation to apply EU law in its entirety, and, if necessary, should flout national provisions hindering the full effectiveness of EU law provisions, in line with the case law of the European Court of Justice (see Fratelli Costanzo ruling).
Thus, with a view to ensuring the principle of the primacy of EU law, as well as the consistent application of the GDPR by the supervisory authorities of all Member States, CNPD resolves that it will not apply certain provisions of the GDPR Implementation Law in the personal data processing operations it may assess, insofar as it considers them to contravene GDPR provisions.
The main provisions are highlighted below:
• LABOUR RELATIONS: the invalidity of the employee's consent as a lawful condition for the processing of his/her data, if such processing would result in a legal or economic advantage for the employee (Article 28(3)(a)).
• ADMINISTRATIVE OFFENCES:
• EXPIRY OF CONSENT: provision for the expiry of consent as a motive for termination of the contract to which the data subject is a party, providing that the processing of data is lawful until it occurs (Article 61.2).
• PROVISIONS ON DATA PROTECTION: termination of legal provisions providing for personal data processing authorisations or notifications to CNPD, as from the date of entry into force of the GDPR (not its application date on May 25th, 2018) (Article 62.2).
CNPD further clarifies that the non-application, for future specific cases, of the aforementioned legal provisions shall result in the direct application of GDPR provisions which, in this Resolution, CNPD considers to be restricted, contravened or compromised, in their useful effect, by the GDPR Implementation Law.